Florida and California join a growing minority of states enacting laws protecting a person’s genetic information (Nevada and Alaska also have laws). Florida’s new genetic privacy law, known as the Protecting DNA Privacy Act, went into effect on October 1, 2021. California’s governor signed the Genetic Information Privacy Act (GIPA) into law on October 6, 2021. It will go into effect on January 1, 2022.

Florida and California take different approaches to their genetic privacy laws. Violations of the Protecting DNA Privacy Act are subject to criminal penalties, while violations of GIPA are subject to civil penalties. We outline some of the highlights of each below.

In Florida, a business cannot, without express written consent, do any of the following:

  • Collect or retain another person’s DNA sample with the intent to analyze it;
  • Submit another person’s DNA sample for analysis or conduct the analysis on the DNA sample;
  • Disclose the DNA analysis results to a third party; or
  • Sell or otherwise transfer another person’s DNA sample or analysis to a third party even if the DNA sample was originally collected with express consent.

In California, a genetic testing company must:

  • Be transparent about its data collection practices regarding genetic data;
  • Obtain express written consent from individuals to use such data;
  • Implement and maintain reasonable security procedures and practices to protect the consumer’s genetic data against unauthorized access, destruction, use, modification, or disclosure; and
  • Establish procedures for the consumer to easily revoke consent, access their genetic data, delete their account and genetic data, and to have their biological sample destroyed.

Effective Date
  • Florida: October 1, 2021
  • California: January 1, 2022

Individuals Protected
  • Florida: Any person who has their DNA sample collected in Florida is protected.
  • California: California residents.

Regulated Entities
  • Florida: Any person or entity who collects, uses, retains, or maintains a DNA sample or the results of a DNA analysis or conducts the DNA analysis is covered.
  • California: GIPA applies to direct-to-consumer genetic testing companies, meaning a company that meets one of the following:
      • Sells, markets, interprets, or offers genetic testing products or services directly to consumers;
      • Collects, uses, maintains, or discloses genetic data that comes from another direct-to-consumer genetic testing product or service or is directly provided by a consumer.

Requirements
  • Florida: Entities in Florida that collect DNA samples will need to obtain express consent from the person giving the DNA sample. Entities can use a single express consent form to authorize every instance of a specified purpose or use. Additionally, entities that perform DNA analysis or receive the results must provide the person with a notice that the analysis was performed.
  • California: Entities in California must be transparent about the business’s privacy practices regarding genetic data. They also must obtain express consent from consumers for the collection, use, and disclosure of the consumer’s genetic data. They must obtain separate, express consent for use of the genetic data for different uses and before transferring it to parties other than service providers. They must obtain consent before directly marketing based on a consumer’s genetic data or third-party marketing based on a consumer’s order, purchase, or use of a genetic testing product or service. Businesses are required to have reasonable security procedures and practices to protect the consumer’s genetic data against unauthorized access, destruction, use, modification, or disclosure. They must give consumers a way to easily withdraw consent, provide access to data, allow consumers to delete their account, and request destruction of their DNA samples. Companies cannot discriminate against consumers that exercise their rights.

Enforceability
  • Florida: The Protecting DNA Privacy Act does not include a private right of action. The law will be enforced by the state. There is no cure period.
  • California: GIPA does not create a private right of action. The law is enforced exclusively through the Attorney General, district attorney, county attorney, city attorney, or city prosecutor. There is a 30-day period for the company to comply with a request to revoke consent, but no other cure period.

Penalties for Violation of the Law
  • Florida: The criminal penalties range from a first degree misdemeanor for the unlawful collection of another person’s DNA sample with the intent to perform a DNA analysis to a second degree felony for the unlawful sale or transfer of another person’s DNA sample or results of DNA analysis, even if the person originally gave express consent for the collection and retention of the DNA sample.
  • California: For a negligent violation of the law, the court can assess a penalty capped at $1,000 plus court costs. For a willful violation of the law, the court can assess a penalty capped at $10,000 plus court costs. The assessed penalties are paid directly to the consumer whose genetic data was used. Each violation can be assessed a separate penalty.

Exceptions
  • Florida: Exceptions apply if the DNA sample, analysis, or results are used for criminal investigations, compliance with lawful court orders, compliance with federal law, determining paternity, or conducting research that is subject to federal regulations.
  • California: The law exempts certain entities governed by federal regulations, certain universities conducting scientific research, the California Newborn Screening Program, tests conducted to diagnose whether an individual has a specific disease, and genetic data used or maintained by an employer or disclosed to an employer by the employee to comply with other laws or regulations.

This overview is not a substitute for considering Florida’s Protecting DNA Privacy Act and California’s Genetic Information Privacy Act and their requirements in their entireties.